Austin, TX – April 11, 2019 — CynergisTek, Inc. (NYSE AMERICAN: CTEK), a leader in healthcare cybersecurity, privacy, and compliance, today released its annual report, Measuring Progress: Expanding the Horizon. The 2019 report provides a sobering analysis of how healthcare provider organizations measured against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the HIPAA Security and Privacy Rules, which outlines best practices for healthcare organizations to adopt to manage cybersecurity risks.

CynergisTek’s 2019 report aggregates ratings from privacy and security assessments performed in 2018 at nearly 600 healthcare provider organizations and business associates across the nation to reveal an average 47% conformance with NIST CSF controls and an average 72% conformance with the HIPAA Security Rule. This reflects only a 2% increase with conformance with NIST CST and a 2% decrease in conformance with the HIPAA Security Rule from the previous year’s findings. New areas of research in the report take a deeper look into the Five Core Functions of the NIST framework, and a new section focused on top privacy issues based on CynergisTek’s privacy assessments and privacy monitoring service. The report also examines the leading risks posed by third-party vendors.

Additional findings and insights from the Measuring Progress: Expanding the Horizon report include:

74% of unauthorized insider access to patient records was users’ household members and the second most common was accessing high profile (VIP/confidential) patient data.

Over 60% of privacy assessments found gaps in maintaining written policies and procedures to guide workforce members in managing all or some of these uses and/or disclosures of PHI.

The most common gaps among third-party vendors included risk assessment, access management, and governance.

In terms of the Five Core Functions, there was a surprising .4% decline in Awareness and Training this year.

The average rating for the Respond and Recover Function was 2.5 (on a scale of 0 – 5), indicating the healthcare industry is still not as prepared to respond to a cyber incident as they should be.

“The slight decline in the Awareness and Training category under the Protection Function is very alarming considering how much more sophisticated attackers were with targeted phishing attempts and new attack vectors, such as medical devices,” said David Finn, Executive Vice President of Strategic Innovation at CynergisTek. “Furthermore, the fact that we did not see any improvement in either the Respond or Recover functions means we may be losing even more ground with the increased number of attacks last year. Organizations need to take into account whether their individual security needs are actually being met in order to be truly secure, and not only compliant.”

CynergisTek’s 2019 report demonstrates that compliance and security are not one-in-the same. After being in effect for 14 years, the industry is still only achieving 72% compliance on the HIPAA Security Rule, a C-level grade at best. From a technical security perspective, this rule is no longer as relevant, since being compliant with an older, out of date rule is not about security, it is about checking boxes, and that is not a measure of risk posture or actual security. The report results highlight the growing need for healthcare organizations to make serious investments in cybersecurity readiness, as cybersecurity has become one of the top business risks facing healthcare today.

The report also includes expertise and analysis from CynergisTek’s thought leaders, as well as proven best practices for strengthening privacy and security controls at healthcare organizations. The full report can be downloaded here.

About CynergisTek, Inc.

CynergisTek is a top-ranked cybersecurity firm dedicated to serving the information assurance needs of the healthcare industry. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. Since 2004, the company has served as a partner to hundreds of healthcare organizations and is dedicated to supporting and educating the industry by contributing to relevant industry associations. The company has been recognized by KLAS in the 2016 and 2018 Cybersecurity reports as a top performing firm in healthcare cybersecurity, as well as the 2017 Best in KLAS winner for Cybersecurity Advisory Services.